Processor Hardware Security Vulnerabilities and their Detection by Unique Program Execution Checking

Recent discovery of security attacks in advanced processors, known as Spectre and Meltdown, has resulted in high public alertness about the security of hardware. The root cause of these attacks is information leakage across covert channels that reveal secret data without any explicit information flow between the secret and the attacker. Many sources believe that such covert channels are intrinsic to highly advanced processor architectures based on speculation and out-of-order execution, suggesting that such security risks can be avoided by staying away from high-end processors. This paper, however, shows that the problem is of wider scope: we present new classes of covert channel attacks which are possible in average-complexity processors with in-order pipelining, as they are mainstream in applications ranging from Internet-of-Things to Autonomous Systems. We present a new approach as a foundation for a remedy against covert channels: while all previous attacks were found by clever thinking of human attackers, this paper presents a formal method called Unique Program Execution Checking which detects and locates vulnerabilities to covert channels systematically, including those to covert channels unknown so far.
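The principle behind the check named in the abstract (a program's observable execution must not depend on a secret it is not allowed to read) can be illustrated on a toy model. The following is an added example, not the paper's tool or its processor designs: a hand-written in-order core with a cache, a forwarding path that is either gated by the access check or not, and a bounded two-instance comparison that reports the first cycle and state element where the two instances diverge. The protected address, the instruction format and the choice of observable state are assumptions of the toy.

```python
"""Added toy example (not the paper's UPEC tool): two copies of a hand-written
in-order core start in identical state except for one protected memory word;
any observable difference between them at any cycle is a covert channel."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SECRET_ADDR = 0x40            # protected word (assumed address for the toy)
CACHE_LINES = 4
Instr = Tuple[str, int, int]  # (op, rd, rs); "ld": rd <- mem[regs[rs]], or "nop"

@dataclass
class Core:
    mem: Dict[int, int]
    gate_forward: bool        # True: bypass path only forwards access-checked values
    regs: List[int] = field(default_factory=lambda: [0] * 4)
    tags: List[Optional[int]] = field(default_factory=lambda: [None] * CACHE_LINES)
    fwd: Tuple[int, int] = (-1, 0)   # (dest reg, value) sitting on the forwarding path
    pc: int = 0

    def observable(self) -> Dict[str, object]:
        # assumed observable state: architectural registers plus cache tags,
        # the latter measurable by a program through access timing
        return {"regs": list(self.regs), "tags": list(self.tags)}

    def step(self, prog: List[Instr]) -> None:
        op, rd, rs = prog[self.pc]
        self.pc += 1
        if op != "ld":
            return
        addr = self.fwd[1] if self.fwd[0] == rs else self.regs[rs]
        self.tags[(addr // 4) % CACHE_LINES] = addr // 4   # cache line fill side effect
        raw = self.mem.get(addr, 0)
        allowed = addr != SECRET_ADDR
        self.regs[rd] = raw if allowed else 0              # architectural state is checked
        self.fwd = (rd, raw if (allowed or not self.gate_forward) else 0)

def unique_execution_check(core: Core, prog: List[Instr], cycles: int):
    """Return (cycle, element) of the first observable divergence, or None if unique."""
    a, b = deepcopy(core), deepcopy(core)
    b.mem[SECRET_ADDR] = core.mem.get(SECRET_ADDR, 0) ^ 0x4   # instances differ only here
    for cyc in range(cycles):
        a.step(prog); b.step(prog)
        oa, ob = a.observable(), b.observable()
        for name in oa:
            if oa[name] != ob[name]:
                return cyc, name
    return None

# constructed program: r0 holds the protected address; the second load's
# address is the value the first load produced (a dependent load)
PROGRAM: List[Instr] = [("ld", 1, 0), ("ld", 2, 1), ("nop", 0, 0)]

def run(gate_forward: bool):
    core = Core(mem={SECRET_ADDR: 0x8}, gate_forward=gate_forward)
    core.regs[0] = SECRET_ADDR
    return unique_execution_check(core, PROGRAM, len(PROGRAM))
```

In the ungated design the register file never sees the protected word, yet the cache tag written by the dependent load differs between the two instances, so the check reports cycle 1 and the `tags` element; gating the forwarding path makes the execution unique and the check returns `None`.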
